[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Sat Jan 10 16:18:04 CET 2015


Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

12 new defect(s) introduced to coreboot found with Coverity Scan.
12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)


** CID 1255943:  Dereference null return value  (NULL_RETURNS)
/src/cpu/amd/agesa/s3_resume.c: 164 in move_stack_high_mem()
/src/cpu/amd/pi/s3_resume.c: 164 in move_stack_high_mem()

** CID 1262213:  Out-of-bounds access  (ARRAY_VS_SINGLETON)
/src/cpu/x86/car.c: 102 in do_car_migrate_variables()

** CID 1262212:  Unchecked return value  (CHECKED_RETURN)
/src/cpu/intel/hyperthreading/intel_sibling.c: 49 in intel_sibling_init()

** CID 1262211:  Unchecked return value  (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/lpc.c: 220 in i82801gx_power_options()

** CID 1262210:  Unchecked return value  (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/smihandler.c: 286 in southbridge_smi_sleep()

** CID 1262209:  Logically dead code  (DEADCODE)
/src/soc/intel/broadwell/igd.c: 429 in igd_cdclk_init_broadwell()

** CID 1262208:  Division or modulo by zero  (DIVIDE_BY_ZERO)
/payloads/libpayload/arch/arm64/main.c: 46 in test_exception()

** CID 1262207:  Self assignment  (NO_EFFECT)
/src/soc/intel/broadwell/finalize.c: 107 in broadwell_finalize()

** CID 1262206:  Unsigned compared against 0  (NO_EFFECT)
/payloads/libpayload/libc/memory.c: 91 in default_memmove()

** CID 1262205:  Dereference null return value  (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 192 in print_fsp_info()

** CID 1262204:  Dereference null return value  (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 265 in find_fsp_hob_update_mrc()

** CID 1262203:  Out-of-bounds read  (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()


________________________________________________________________________________________________________
*** CID 1255943:  Dereference null return value  (NULL_RETURNS)
/src/cpu/amd/agesa/s3_resume.c: 164 in move_stack_high_mem()
158     
159     static void move_stack_high_mem(void)
160     {
161     	void *high_stack;
162     
163     	high_stack = cbmem_find(CBMEM_ID_RESUME_SCRATCH);
>>>     CID 1255943:  Dereference null return value  (NULL_RETURNS)
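>>>     Dereferencing a pointer that might be null "high_stack" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] [Reviewer note: the unchecked cbmem_find() result is also used at lines 167-169 to adjust %esp and %ebp, so a failed lookup would affect the stack relocation as well as the copy. A NULL check belongs before line 164; the /src/cpu/amd/pi copy of this function, shown next, is identical.]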
164     	memcpy(high_stack, (void *)BSP_STACK_BASE_ADDR,
165     		(CONFIG_HIGH_SCRATCH_MEMORY_SIZE - BIOS_HEAP_SIZE));
166     
167     	__asm__
168     	    volatile ("add	%0, %%esp; add %0, %%ebp; invd"::"g"
169     		      (high_stack - BSP_STACK_BASE_ADDR)
/src/cpu/amd/pi/s3_resume.c: 164 in move_stack_high_mem()
158     
159     static void move_stack_high_mem(void)
160     {
161     	void *high_stack;
162     
163     	high_stack = cbmem_find(CBMEM_ID_RESUME_SCRATCH);
>>>     CID 1255943:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be null "high_stack" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
164     	memcpy(high_stack, (void *)BSP_STACK_BASE_ADDR,
165     		(CONFIG_HIGH_SCRATCH_MEMORY_SIZE - BIOS_HEAP_SIZE));
166     
167     	__asm__
168     	    volatile ("add	%0, %%esp; add %0, %%ebp; invd"::"g"
169     		      (high_stack - BSP_STACK_BASE_ADDR)

________________________________________________________________________________________________________
*** CID 1262213:  Out-of-bounds access  (ARRAY_VS_SINGLETON)
/src/cpu/x86/car.c: 102 in do_car_migrate_variables()
96     	car_migrated = ~0;
97     
98     	/* Call all the migration functions. */
99     	migrate_func = &_car_migrate_start;
100     	while (*migrate_func != NULL) {
101     		(*migrate_func)();
>>>     CID 1262213:  Out-of-bounds access  (ARRAY_VS_SINGLETON)
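>>>     Using "migrate_func" as an array.  This might corrupt or misinterpret adjacent memory locations. [Reviewer note: the loop at line 100 stops at the first NULL entry, so _car_migrate_start is presumably the first slot of a NULL-terminated table rather than a single object; confirm against its declaration before changing the loop.]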
102     		migrate_func++;
103     	}
104     }
105     
106     void car_migrate_variables(void)
107     {
108     	if (!IS_ENABLED(CONFIG_BROKEN_CAR_MIGRATE))
109     		do_car_migrate_variables();

________________________________________________________________________________________________________
*** CID 1262212:  Unchecked return value  (CHECKED_RETURN)
/src/cpu/intel/hyperthreading/intel_sibling.c: 49 in intel_sibling_init()
43     	unsigned i, siblings;
44     	struct cpuid_result result;
45     
46     	/* On the bootstrap processor see if I want sibling cpus enabled */
47     	if (first_time) {
48     		first_time = 0;
>>>     CID 1262212:  Unchecked return value  (CHECKED_RETURN)
>>>     Calling "get_option" without checking return value (as is done elsewhere 15 out of 18 times).
49     		get_option(&disable_siblings, "hyper_threading");
50     	}
51     	result = cpuid(1);
52     	/* Is hyperthreading supported */
53     	if (!(result.edx & (1 << 28))) {
54     		return;

________________________________________________________________________________________________________
*** CID 1262211:  Unchecked return value  (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/lpc.c: 220 in i82801gx_power_options()
214     	// reg8 &= ~(1 << 2);	/* PCI SERR# Enable */
215     	reg8 |= (1 << 2); /* PCI SERR# Disable for now */
216     	outb(reg8, 0x61);
217     
218     	reg8 = inb(0x70);
219     	nmi_option = NMI_OFF;
>>>     CID 1262211:  Unchecked return value  (CHECKED_RETURN)
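>>>     Calling "get_option" without checking return value (as is done elsewhere 15 out of 18 times). [Reviewer note: nmi_option is preset to NMI_OFF at line 219, so a failed lookup keeps that default only if get_option leaves the destination untouched on failure; confirm this. The smihandler.c excerpt presets s5pwr the same way at line 280, while the intel_sibling.c excerpt does not show a default for disable_siblings.]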
220     	get_option(&nmi_option, "nmi");
221     	if (nmi_option) {
222     		printk(BIOS_INFO, "NMI sources enabled.\n");
223     		reg8 &= ~(1 << 7);	/* Set NMI. */
224     	} else {
225     		printk(BIOS_INFO, "NMI sources disabled.\n");

________________________________________________________________________________________________________
*** CID 1262210:  Unchecked return value  (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/smihandler.c: 286 in southbridge_smi_sleep()
280     	u8 s5pwr = CONFIG_MAINBOARD_POWER_ON_AFTER_POWER_FAIL;
281     
282     	// save and recover RTC port values
283     	u8 tmp70, tmp72;
284     	tmp70 = inb(0x70);
285     	tmp72 = inb(0x72);
>>>     CID 1262210:  Unchecked return value  (CHECKED_RETURN)
>>>     Calling "get_option" without checking return value (as is done elsewhere 15 out of 18 times).
286     	get_option(&s5pwr, "power_on_after_fail");
287     	outb(tmp70, 0x70);
288     	outb(tmp72, 0x72);
289     
290     	/* First, disable further SMIs */
291     	reg8 = inb(pmbase + SMI_EN);

________________________________________________________________________________________________________
*** CID 1262209:  Logically dead code  (DEADCODE)
/src/soc/intel/broadwell/igd.c: 429 in igd_cdclk_init_broadwell()
423     	/* CD clock frequency 675MHz not supported on ULT */
424     	if (cpu_is_ult() && cdclk == GT_CDCLK_675)
425     		cdclk = GT_CDCLK_540;
426     
427     	/* Set variables based on CD Clock setting */
428     	switch (cdclk) {
>>>     CID 1262209:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement: "case 0:".
429     	case GT_CDCLK_337:
430     		cdset = 337;
431     		lpcll = (1 << 27);
432     		pwctl = 2;
433     		dpdiv = 169;
434     		break;

________________________________________________________________________________________________________
*** CID 1262208:  Division or modulo by zero  (DIVIDE_BY_ZERO)
/payloads/libpayload/arch/arm64/main.c: 46 in test_exception()
40     int test_exception(void);
41     int test_exception(void)
42     {
43     	int a = 1;
44     	int b = 0;
45     	test_exc = 1;
>>>     CID 1262208:  Division or modulo by zero  (DIVIDE_BY_ZERO)
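>>>     In expression "a / b", division by expression "b" which may be zero has undefined behavior. [Reviewer note: b is assigned the constant 0 at line 44 and test_exc is set immediately before the division, so this looks like a deliberate exception test. Because the result is undefined behavior in C, the compiler is not obliged to emit a faulting divide here.]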
46     	return a/b;
47     }
48     
49     /**
50      * This is our C entry function - set up the system
51      * and jump into the payload entry point.

________________________________________________________________________________________________________
*** CID 1262207:  Self assignment  (NO_EFFECT)
/src/soc/intel/broadwell/finalize.c: 107 in broadwell_finalize()
101     	reg_script_run_on_dev(PCH_DEV_LPC, pch_finalize_script);
102     
103     	/* Read+Write the following registers */
104     	MCHBAR32(0x6030) = MCHBAR32(0x6030);
105     	MCHBAR32(0x6034) = MCHBAR32(0x6034);
106     	MCHBAR32(0x6008) = MCHBAR32(0x6008);
>>>     CID 1262207:  Self assignment  (NO_EFFECT)
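>>>     Assignment operation "*(u32 volatile *)0xfed1e1a4 = *(u32 volatile *)0xfed1e1a4" has no effect. [Reviewer note: both sides are volatile-qualified accesses and the comment at line 103 reads "Read+Write the following registers", so the read-then-write-back is presumably intentional; triage this against the register's documentation rather than deleting the statement.]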
107     	RCBA32(0x21a4) = RCBA32(0x21a4);
108     
109     	/* Re-init SPI after lockdown */
110     	spi_init();
111     
112     	/* Lock down management engine */

________________________________________________________________________________________________________
*** CID 1262206:  Unsigned compared against 0  (NO_EFFECT)
/payloads/libpayload/libc/memory.c: 91 in default_memmove()
85     
86     	offs = n - (n % sizeof(unsigned long));
87     
88     	for (i = (n % sizeof(unsigned long)) - 1; i >= 0; i--)
89     		((u8 *)dst)[i + offs] = ((u8 *)src)[i + offs];
90     
>>>     CID 1262206:  Unsigned compared against 0  (NO_EFFECT)
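>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "i >= 0UL". [Reviewer note: the loop at line 88 uses the same "i >= 0" condition on the same variable. With an unsigned i, the decrement past zero wraps to a very large value instead of ending the loop, so both copy loops index outside the source and destination buffers. The initial value also wraps when n % sizeof(unsigned long) or n / sizeof(unsigned long) is 0.]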
91     	for (i = n / sizeof(unsigned long) - 1; i >= 0; i--)
92     		((unsigned long *)dst)[i] = ((unsigned long *)src)[i];
93     
94     	return dst;
95     }
96     

________________________________________________________________________________________________________
*** CID 1262205:  Dereference null return value  (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 192 in print_fsp_info()
186     		if ((u32)fsp_header_ptr < 0xff) {
187     			post_code(0x4F); /* output something in case there is no serial */
188     			die("Can't find the FSP!\n");
189     		}
190     
191     	if (FspHobListPtr == NULL) {
>>>     CID 1262205:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "cbmem_find(1213153825U)".
192     		FspHobListPtr = (void*)*((u32*) cbmem_find(CBMEM_ID_HOB_POINTER));
193     	}
194     
195     	printk(BIOS_SPEW,"fsp_header_ptr: %p\n", fsp_header_ptr);
196     	printk(BIOS_INFO,"FSP Header Version: %d\n", fsp_header_ptr->HeaderRevision);
197     	printk(BIOS_INFO,"FSP Revision: %d.%d\n",

________________________________________________________________________________________________________
*** CID 1262204:  Dereference null return value  (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 265 in find_fsp_hob_update_mrc()
259     }
260     #endif /* CONFIG_ENABLE_MRC_CACHE */
261     
262     static void find_fsp_hob_update_mrc(void *unused)
263     {
264     	/* Set the global HOB list pointer */
>>>     CID 1262204:  Dereference null return value  (NULL_RETURNS)
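>>>     Dereferencing a null pointer "cbmem_find(1213153825U)". [Reviewer note: 1213153825U is the expanded value of CBMEM_ID_HOB_POINTER from line 265. The u32 read through the cbmem_find() result happens before the "!FspHobListPtr" test at line 267, so that test cannot catch a missing CBMEM entry; the return value needs its own NULL check. Line 192 in print_fsp_info() uses the same expression.]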
265     	FspHobListPtr = (void*)*((u32*) cbmem_find(CBMEM_ID_HOB_POINTER));
266     
267     	if (!FspHobListPtr){
268     		printk(BIOS_ERR, "ERROR: Could not find FSP HOB pointer in CBFS!\n");
269     	} else {
270     		/* 0x0000: Print all types */

________________________________________________________________________________________________________
*** CID 1262203:  Out-of-bounds read  (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
1405     	} post = {0xDEAD, FileCode, 0xDEAD, FileCode};
1406     	UINT16 offset = 0;
1407     	UINT16 j;
1408     
1409     	while(1) {
1410     		offset %= sizeof(struct POST) / 2;
>>>     CID 1262203:  Out-of-bounds read  (OVERRUN)
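>>>     Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)". [Reviewer note: "&post + offset" advances in units of the whole struct (12 bytes, per the sizes reported here), not in 4-byte words. After the modulo at line 1410, offset can reach 5, which gives the reported byte offset of 60. The cast to UINT32 * would have to be applied before adding offset for the read to stay inside post.]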
1411     		WriteIo32(80, *((UINT32*)(&post+offset)));
1412     		++offset;
1413     		for (j=0; j<250; ++j) {
1414     			ReadIo8(80);
1415     		}
1416     	}


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com/projects/1016?tab=overview




